I'm using an old computer to build a home router and this is what I have come up with so far for the pf rules. The external interface is set to a static IP from my ISP and the internal is 192.168.2.0/24. I want to NAT everything through the one IP, block all incoming except ssh for now, and limit outbound connections to specific ports/protocols. I also want the firewall to just affect the external zone and not firewall communication between computers on the internal network. Is this a good setup?

External interface
Incoming traffic on the external interface originates from the Internet.

Outgoing packets on the external interface are either originated by the PF box itself, or by your local LAN (incoming on your internal NIC).

Internal interface
Incoming packets on the internal interface are generated by your local LAN, and are destined either for the PF box itself, or have to go out from the external interface to the internet.

Outgoing packets on the internal interface either originate locally from the PF box itself, or from the Internet, where they were incoming on the external NIC.

So this rule has to be adjusted:

Quote:

# Allowed Outbound
pass out quick on $IntIF proto $OB_proto from $IntIF/24 to any port $OB_ports

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
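The direction logic described in the reply, written out as a complete pf.conf for the setup in the question. This is an added illustration, not the ruleset of either poster; interface names, the protocol and port lists, and the older "nat on" syntax (FreeBSD, OpenBSD before 4.7) are assumptions.

```pf
# Added illustration, not the thread's own ruleset. Interface names, the
# port list and the protocol list are assumptions. NAT uses the "nat on"
# form (FreeBSD, OpenBSD before 4.7); newer OpenBSD writes it as
# "match out on $ExtIF inet from $IntIF:network nat-to ($ExtIF)".
ExtIF = "em0"          # static address from the ISP
IntIF = "em1"          # the 192.168.2.0/24 side
OB_proto = "{ tcp udp }"
OB_ports = "{ 22 53 80 443 }"

set skip on lo0

# Translate everything from the LAN to the single external address.
nat on $ExtIF inet from $IntIF:network to any -> ($ExtIF)

# Default deny on the external interface; the only thing allowed in
# from the Internet is ssh to the router itself.
block in on $ExtIF
pass in on $ExtIF inet proto tcp to ($ExtIF) port 22 keep state

# LAN-originated traffic arrives as "in" on $IntIF, so the outbound
# restriction is expressed here. The rule quoted in the reply used
# "pass out on $IntIF from <LAN>", which describes packets travelling
# toward the LAN (from the router or the Internet); those never carry a
# LAN source address, so the rule could not match what it was meant to.
block in on $IntIF
pass in quick on $IntIF inet proto $OB_proto from $IntIF:network to any port $OB_ports keep state

# Replies back toward the LAN, and whatever the router itself sends out,
# are left unfiltered (the question only wanted the external side policed).
pass out quick on $IntIF
pass out quick on $ExtIF keep state
```

Traffic between two hosts on 192.168.2.0/24 never crosses the router, so none of these rules touches it; only LAN-to-router and LAN-to-Internet packets are subject to the port list.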